Study says silent updates enhance security

Updating browsers without first asking users is apparently the most successful way of ensuring wide distribution for the latest version – thus minimising the number of vulnerable browsers. A joint study by Google Switzerland and the ETH (Swiss Federal Institute of Technology) in Zurich concludes that, if an update requires too much user interaction or effort, users will either abort the process or fail even to run it.

Updating Opera requires a manual download, and the subsequent installation involves several dialogues, so only 24 per cent of the users observed installed the latest version, says the study. Things are precisely the other way round with Google's Chrome: if an update is available, it is downloaded and installed without the user being consulted ("silent update"). Twenty-one days after an update was made available, 97 per cent of the Chrome users observed were running the current version. It isn't possible to disable automatic updating in Chrome anyway.

In the case of Firefox, 85 per cent of users were surfing with the latest version 21 days after its release, while the figure for Safari was 53 per cent. The researchers say their web servers were unable to make any measurements for Internet Explorer because it doesn't provide enough information about its patch state.
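To make the measurement described above concrete, here is an added illustration (not the study's own code or data) of how a web server operator can estimate the share of visitors running the current browser version from the User-Agent strings in an access log. It assumes a simplified log shape of "client id, space, User-Agent" rather than any real server format; the log lines, the "current version" table and the client ids are all constructed sample values, and the regexes cover only the User-Agent layouts of the browsers named in the article. It also reproduces the Internet Explorer caveat: because the MSIE token carries only the major release, IE clients are counted but reported as unmeasurable rather than as outdated.

```python
import re
from collections import defaultdict

# Constructed sample log: "<client-id> <User-Agent>" per line. Not data from the study.
SAMPLE_LOG = """\
u1 Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.39 Safari/530.5
u2 Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.39 Safari/530.5
u3 Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.33 Safari/530.5
u4 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
u5 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
u6 Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
u7 Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1
u8 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
u9 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17
u10 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
u1 Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.39 Safari/530.5
"""

# Hypothetical "latest release" per browser at measurement time (constructed values).
CURRENT = {
    "Chrome": (2, 0, 172, 39),
    "Firefox": (3, 0, 11),
    "Opera": (9, 64),
    "Safari": (4, 0),
}

# Ordered patterns. Chrome must be tested before Safari because Chrome's
# User-Agent also carries a "Safari/" token.
UA_PATTERNS = [
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)+)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)+)")),
    ("Opera", re.compile(r"^Opera/(\d+(?:\.\d+)+)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)+).*Safari/")),
    ("IE", re.compile(r"MSIE (\d+\.\d+)")),
]


def parse_version(text):
    """'2.0.172.39' -> (2, 0, 172, 39), so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(ua):
    """Return (browser, version_tuple) for a recognised User-Agent,
    (browser, None) when the agent does not expose its patch level
    (IE only reports the major release), or None for unknown agents."""
    for name, pattern in UA_PATTERNS:
        match = pattern.search(ua)
        if match:
            if name == "IE":
                return (name, None)
            return (name, parse_version(match.group(1)))
    return None


def adoption(log_text, current=CURRENT):
    """Per browser: (clients on >= current version, distinct clients, share).

    share is None when no client of that browser exposes a comparable
    version. The last observation of a client wins, so a client that
    updated during the window counts as current."""
    latest_seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_id, _, ua = line.partition(" ")
        result = classify(ua)
        if result is not None:
            latest_seen[client_id] = result

    stats = defaultdict(lambda: {"current": 0, "clients": 0, "measurable": 0})
    for browser, version in latest_seen.values():
        entry = stats[browser]
        entry["clients"] += 1
        target = current.get(browser)
        if version is None or target is None:
            continue  # patch level unknown: counted, but not judged
        entry["measurable"] += 1
        if version >= target:
            entry["current"] += 1

    return {
        browser: (
            e["current"],
            e["clients"],
            e["current"] / e["measurable"] if e["measurable"] else None,
        )
        for browser, e in stats.items()
    }


if __name__ == "__main__":
    for browser, (n_current, n_clients, share) in sorted(adoption(SAMPLE_LOG).items()):
        shown = "not measurable" if share is None else f"{share:.0%}"
        print(f"{browser:8s} {n_current}/{n_clients} on current version ({shown})")
```

Because the share is computed over distinct clients rather than raw requests, a single heavy user on an old build cannot skew the figure; and because IE is reported as "not measurable" instead of 0 per cent, the output does not misrepresent a browser that simply hides its patch state.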

On the basis of their results, the authors of the study recommend that browser developers implement silent updates, given their obvious advantages. Opera at least is planning to introduce automatic updating for its coming version 10, but it probably still won't work without user involvement.

The authors also call for changes to patch strategies and patch cycles, pointing out that Microsoft's rigid monthly Patch Day is primarily an obeisance to its business clients, who require fixed times for updating their infrastructures. When there are critical vulnerabilities in Internet Explorer, however, they say it's hard to see why millions of other users should have to remain unprotected for a long time until the next Patch Day. Qualys, a provider of security services, complained in February about IE patches not being issued separately from other security updates, so that plugging holes took several weeks.

Although silent updates offer many users enormous advantages from a security point of view, they also involve a loss of control. Not every user may fancy having new and unrequested versions thrust on to the hard disk after an initial deliberate installation has been made. It also needs to be clarified whether silent updates ought to be restricted to security measures, or whether new functions might also be secretly incorporated into systems.